While WordPress requires login credentials to access the wp-admin directory, adding an extra layer of authentication is a proven security practice for high-traffic sites. At WPBeginner, we recently noticed suspicious activity, prompting our hosting provider, HostGator, to recommend password-protecting wp-admin. Popular sites like Mashable use this method too. As experienced WordPress users, we'll guide you through proven steps to secure your site.
To keep it straightforward, we'll focus on cPanel hosting, which offers a user-friendly interface for this task.
Log in to your cPanel dashboard. Under the Security section, click Password Protect Directories.

A popup will appear. Select your web root, navigate to your WordPress installation folder, and choose the /wp-admin/ directory. This opens the setup screen for that directory.

Check the box to protect the directory, then create a username and password. Save changes. From now on, accessing wp-admin will prompt for these credentials first.

To set this up manually instead, generate a .htpasswd file using an online tool. Upload it outside your public_html directory, e.g., /home/yourusername/.htpasswds/public_html/wp-admin/passwd.
Create a .htaccess file in your /wp-admin/ directory with this code:
AuthType Basic
AuthName "Admins Only"
AuthUserFile /home/yourusername/.htpasswds/public_html/wp-admin/passwd
Require valid-user
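Replace yourusername and the path so that AuthUserFile points to the passwd file you uploaded. This enables HTTP Basic authentication for the directory.
Some server configurations cause problems with this setup. In your root .htaccess file, before the WordPress rules, add: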
ErrorDocument 401 default
This resolves common conflicts.
Now your wp-admin has dual authentication—a strong alternative to IP restrictions.
Update: Fixing Admin Ajax Issues
Password protection may break frontend Ajax (e.g., from plugins). To fix, edit the .htaccess in /wp-admin/ (not root) and add:
<FilesMatch "^.*(ajax|admin-ajax|wp-admin|wp-login).*$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>
Source: Proven community fix.
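An added example, not part of the original article: a small Python audit of the /wp-admin/.htaccess shown above. It checks that the Basic auth directives are present, that AuthUserFile sits outside the web root, and which file names the FilesMatch exception lets through without a password. The web root /home/yourusername/public_html, the function name audit_htaccess and the file-name list passed to it are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the article's /wp-admin/.htaccess, both snippets combined.
SAMPLE_HTACCESS = '''\
AuthType Basic
AuthName "Admins Only"
AuthUserFile /home/yourusername/.htpasswds/public_html/wp-admin/passwd
Require valid-user
<FilesMatch "^.*(ajax|admin-ajax|wp-admin|wp-login).*$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
'''
REQUIRED = ("authtype", "authname", "authuserfile", "require")

def audit_htaccess(text, docroot, filenames):
    """Return (problems, exempt): config problems and file names that skip auth."""
    directives, exemptions, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<FilesMatch\s+"?(.+?)"?\s*>$', line, re.I)
        if opened:  # start of an exception block
            block = {"regex": opened.group(1), "satisfy_any": False}
        elif line.lower() == "</filesmatch>":
            if block and block["satisfy_any"]:
                exemptions.append(block["regex"])
            block = None
        elif block is not None:
            if line.lower().split() == ["satisfy", "any"]:
                block["satisfy_any"] = True
        else:  # top-level directive: the name is case-insensitive in Apache
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"')
    problems = [f"missing {d}" for d in REQUIRED if d not in directives]
    if directives.get("authtype", "basic").lower() != "basic":
        problems.append("AuthType is not Basic")
    if "authuserfile" in directives:
        pw = PurePosixPath(directives["authuserfile"])
        if not pw.is_absolute():
            problems.append("AuthUserFile is not an absolute path")
        elif PurePosixPath(docroot) in pw.parents:  # true containment, not substring
            problems.append("AuthUserFile is inside the web root")
    # FilesMatch is applied to the file's base name, so test bare names.
    exempt = [f for f in filenames if any(re.search(p, f) for p in exemptions)]
    return problems, exempt
```

Run against the article's pattern, the result shows that any file whose name contains "ajax" skips the password prompt, not only admin-ajax.php.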